Google SecOps events schema
In BigQuery, the table called events stores UDM event records.
The hour_time_bucket field identifies the table partition: the hour of the
metadata.event_timestamp UDM field, in UTC. Values in the hour_time_bucket field
are hourly timestamps of the form <YYYY-MM-DD HH:MM:SS UTC>. Here are examples:
2022-05-20 00:00:00 UTC
2022-05-20 01:00:00 UTC
2022-05-20 02:00:00 UTC
2022-05-20 03:00:00 UTC
For example, the value 2022-05-20 00:00:00 UTC labels data whose event_timestamp falls between 2022-05-20 00:00:00 UTC and 2022-05-20 00:59:59 UTC, inclusive. For more information, see Query partitioned tables.
The amount of time it takes for data to appear in the events table depends
on the difference between when the device records the event (the metadata.event_timestamp)
and when that event is ingested into Google Security Operations SIEM (the metadata.ingested_timestamp).
The following summarizes the time it takes for data to appear in the events table after it is received by Google Security Operations:
If the difference is less than 2 hours, data appears approximately 2 hours after it is ingested.
If the difference is between 2 hours and 24 hours, it may take up to 4 hours for data to appear after it is ingested.
If the difference is more than 24 hours, it may take up to 5 days for data to appear after it is ingested.
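The following is an added example (not code from the Google SecOps documentation) that ties the two passages above together: it computes the hour_time_bucket partition for an event, the worst-case delay from the three latency bands, and a query that filters on the partition column instead of scanning every partition. It assumes hour_time_bucket is a TIMESTAMP column and uses the placeholder project id my-secops-project.

```python
# Added example (not from the Google SecOps docs): derive an event's
# hour_time_bucket partition, the documented worst-case visibility delay,
# and a partition-pruning query. Assumes hour_time_bucket is a TIMESTAMP
# column; "my-secops-project" is a placeholder project id.
from datetime import datetime, timezone

UTC = timezone.utc
TS_FMT = "%Y-%m-%d %H:%M:%S UTC"  # the form the page shows for hour_time_bucket


def parse_ts(s: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS UTC' string into an aware UTC datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=UTC)


def hour_time_bucket(event_ts: datetime) -> datetime:
    """Partition the event lands in: metadata.event_timestamp truncated to
    the start of its UTC hour. event_ts must be timezone-aware."""
    return event_ts.astimezone(UTC).replace(minute=0, second=0, microsecond=0)


def visibility_delay_hours(event_ts: datetime, ingested_ts: datetime) -> int:
    """Worst-case hours after ingestion before the event is in `events`, per
    the three bands on the page, chosen by the gap between
    metadata.event_timestamp and metadata.ingested_timestamp. A negative gap
    (device clock ahead of ingestion) falls in the first band."""
    lag_hours = (ingested_ts - event_ts).total_seconds() / 3600
    if lag_hours < 2:
        return 2
    if lag_hours <= 24:
        return 4
    return 5 * 24


def events_query(project: str, start: datetime, end: datetime) -> str:
    """SQL for events in [start, end]. The hour_time_bucket predicate limits
    the scan to the partitions touched; the metadata.event_timestamp predicate
    then trims to the exact window. Filtering on event_timestamp alone would
    scan every partition. The UDM fields selected are assumed present."""
    first, last = hour_time_bucket(start), hour_time_bucket(end)
    return (
        "SELECT metadata.event_timestamp, metadata.ingested_timestamp,\n"
        "       metadata.event_type, principal.hostname, target.ip\n"
        f"FROM `{project}.datalake.events`\n"
        f'WHERE hour_time_bucket BETWEEN TIMESTAMP("{first.strftime(TS_FMT)}")\n'
        f'  AND TIMESTAMP("{last.strftime(TS_FMT)}")\n'
        f'  AND metadata.event_timestamp BETWEEN TIMESTAMP("{start.strftime(TS_FMT)}")\n'
        f'  AND TIMESTAMP("{end.strftime(TS_FMT)}")'
    )
```

Calling events_query("my-secops-project", parse_ts("2022-05-20 00:45:10 UTC"), parse_ts("2022-05-20 03:05:00 UTC")) restricts the scan to the four hourly partitions from 00:00 to 03:00 UTC.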
The events table schema changes regularly. To view information about the table,
including the current schema, see the BigQuery instructions for getting table information.
To access the events schema, do the following:
Open the Google Cloud console, and then select the Google SecOps project ID
that your Google SecOps representative shared with you.
Select BigQuery > BigQuery Studio > datalake > events.
Figure: events table in BigQuery
Events data model for dashboards
In Google SecOps embedded dashboards, you'll see a data structure called UDM Events.
This is a Looker data model created for the events table in BigQuery.
The UDM Events model includes the most commonly used UDM fields; it does not include all UDM
fields. If you need missing UDM fields incorporated into a
personalized dashboard, contact your Google SecOps representative.
To view fields in this Explore, perform the following steps:
In the navigation bar, click Dashboards.
Create a new dashboard (click Add > Create New) or edit an existing dashboard.
Add a Tile.
Select Visualization as the type if prompted.
In the list of tables, select UDM Events.
Browse the list of fields.
Figure: Field list in Google SecOps Events data model
What's next
View a description of each UDM field in the Unified Data Model field list (/chronicle/docs/reference/udm-field-list).
For information about accessing and running queries in BigQuery, see Run interactive and batch query jobs (/bigquery/docs/running-queries).
For information about how to query partitioned tables, see Query partitioned tables (/bigquery/docs/querying-partitioned-tables).
For information about how to connect Looker to BigQuery, see the Looker documentation about connecting to BigQuery (/looker/docs/db-config-google-bigquery).
Last updated 2025-08-29 UTC.